Error loading JWKS, because of 406 Response

[ucyo]

I there,

I am having problems connecting to our OpenID Connect service. The server rejects the request with an 406 HTTP error:

...
by: java.io.IOException: Server returned HTTP response code: 406 for URL: https://login.helmholtz-data-federation.de/oauth2/jwk
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
....

I tried curling the server, and it works fine:

$ curl -k https://login.helmholtz-data-federation.de/oauth2/jwk
{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","n":"<content-erased>"}]}

The context.xml is like this:

<?xml version="1.0" encoding="UTF-8"?>
<Context path="/app">
  <Valve className="org.bsworks.catalina.authenticator.oidc.tomcat85.OpenIDConnectAuthenticator"
       providers="[
           {
               name: hdfAAI,
               issuer: https://login.helmholtz-data-federation.de,
               configurationDocumentUrl: https://login.helmholtz-data-federation.de/oauth2/.well-known/openid-configuration,
               clientId: <xxx>,
               clientSecret: <xxx>,
           }
       ]"
       usernameClaim="email" additionalScopes="email" />
</Context>

Any suggestions on why this fails?

[levahim]

Hey,

Your server is very specific about the content type of the key set document it returns. It returns application/jwk-set+json and it does not like the authenticator sending it Accept: application/json.

Good catch, actually! I'll add application/jwk-set+json to the authenticator's Accept header and make a release.

[levahim]

Added support for application/jwk-set+json content type in release 2.2.4.

[ucyo]

Thank you! Now this error message doesn't appear anymore